Espionage · stolen

Bangladesh Bank SWIFT heist

Lazarus operators sent fraudulent SWIFT instructions through the New York Fed to wire $951 million out of Bangladesh Bank's reserve account. A typo on one transfer stopped $850M; $81M still escaped to Philippine casinos.

Part of campaign: Lazarus crypto theft
Victim: Bangladesh Bank
Loss: $81.0M

On 4 February 2016, operators from North Korea's Lazarus Group issued 35 fraudulent SWIFT MT103 transfer instructions worth approximately $951 million from Bangladesh Bank's reserve account at the Federal Reserve Bank of New York. Most were caught by a stroke of luck: a typo on one transfer triggered manual review of the others. But $81 million still escaped into the Philippine financial system and was effectively unrecoverable.

What happened

Lazarus operators had been resident on Bangladesh Bank's network for approximately a year, gaining access via spearphishing of bank employees and slowly mapping the bank's internal procedures, including the workstations connected to the SWIFT Alliance Access system used to issue international transfer instructions to the Fed.

On the night of 4 February 2016, a Thursday, ahead of Bangladesh's Friday-Saturday weekend, operators issued the 35 transfer instructions in rapid sequence:

  1. $20 million to Pan Asia Banking, Sri Lanka, ostensibly to the "Shalika Foundation".
  2. $81 million in four transfers to RCBC Bank in Manila, into accounts under fictitious names.
  3. 30 additional transfers totalling ~$850 million, also bound for RCBC Manila.

The operators simultaneously deployed custom malware that suppressed the bank's local SWIFT message confirmation printer, delaying internal detection.

The operation began unravelling because the Sri Lanka transfer's beneficiary was misspelled as "Shalika Fandation" instead of "Shalika Foundation". Deutsche Bank's compliance team, processing the transfer as a correspondent, flagged the spelling for manual review. That review prompted scrutiny of the broader transfer batch, and the New York Fed flagged the remaining 30 transfers totalling $850 million before they cleared.

The $81 million already routed to RCBC Manila moved through accounts opened with falsified KYC documents, was converted to Philippine pesos, and was wired to several Philippine casinos. From casino accounts the funds were converted to gambling chips, cycled through gaming, then withdrawn. By the time Bangladesh Bank notified authorities, the trail had effectively been laundered.

Impact

  • $81 million stolen from Bangladesh Bank reserves. ~$18 million was eventually recovered from RCBC; ~$63 million remains unaccounted for.
  • The Governor of Bangladesh Bank and several deputy governors resigned over the incident.
  • RCBC Bank was fined ₱1 billion (~$20M) by the Bangko Sentral ng Pilipinas, the largest fine ever levied by Philippine banking regulators.
  • The SWIFT network's Customer Security Programme was created in response, mandating baseline security controls and customer attestations for every connected institution.

Attribution

In September 2018, the U.S. Department of Justice unsealed an indictment naming Lazarus operator Park Jin Hyok as a participant in the Bangladesh Bank heist alongside the 2014 Sony Pictures attack and the 2017 WannaCry outbreak. The forensic case linked all three operations via shared malware code, command-and-control infrastructure, and operator OPSEC failures.

The U.S. assessment is that the operation was conducted by North Korea's Reconnaissance General Bureau as a state-sponsored financial theft to evade international sanctions and fund DPRK weapons programs.

Why it matters

Bangladesh Bank is the canonical case for state-sponsored attacks on the global financial messaging infrastructure. The operation demonstrated:

  • That SWIFT-connected workstations are critical assets requiring banking-grade security, not generic enterprise IT controls.
  • That typos and printer outages can be load-bearing detection signals: the heist nearly succeeded entirely, blocked only by a misspelled beneficiary and an alert correspondent bank.
  • That post-fraud asset recovery across jurisdictions is extraordinarily limited; once funds reach a non-cooperating banking system and are laundered through casinos or shell companies, recovery rates fall toward zero.
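As an added illustration (not code from the original write-up or from any of the institutions involved), the Python script below turns the three detection signals this incident exposed into checks a bank's monitoring could run over its own SWIFT instruction log: reconciling issued instructions against the confirmation log (the gap that printer suppression creates), flagging a short window whose aggregate value is far above normal, and flagging off-hours or pre-weekend issuance. All message ids, timestamps and amounts are constructed sample data, not the incident's real records.

```python
from datetime import datetime, timedelta

# Constructed sample instruction log (ids, times and amounts are invented, not
# the incident's real records). Times are local bank time, ISO 8601.
INSTRUCTIONS = [
    {"id": "MT103-0005", "sent": "2016-02-01T10:15:00", "amount": 2_500_000},
    {"id": "MT103-0001", "sent": "2016-02-04T20:02:00", "amount": 20_000_000},
    {"id": "MT103-0002", "sent": "2016-02-04T20:04:00", "amount": 30_000_000},
    {"id": "MT103-0003", "sent": "2016-02-04T20:05:00", "amount": 25_000_000},
    {"id": "MT103-0004", "sent": "2016-02-04T20:07:00", "amount": 26_000_000},
]
# Ids that actually appear in the confirmation print/archive log (constructed).
CONFIRMED_IDS = {"MT103-0005"}


def missing_confirmations(instructions, confirmed_ids):
    """Instructions that were sent but never acknowledged in the confirmation
    log; a gap here is exactly what suppressing the confirmation printer leaves."""
    return sorted(m["id"] for m in instructions if m["id"] not in confirmed_ids)


def burst_alerts(instructions, window_minutes=60, max_total=50_000_000):
    """Sliding window over send times; returns (first id, last id, total) for
    every window whose aggregate amount exceeds max_total."""
    items = sorted(instructions, key=lambda m: m["sent"])
    times = [datetime.fromisoformat(m["sent"]) for m in items]
    alerts, start = [], 0
    for end in range(len(items)):
        while times[end] - times[start] > timedelta(minutes=window_minutes):
            start += 1
        total = sum(m["amount"] for m in items[start:end + 1])
        if total > max_total:
            alerts.append((items[start]["id"], items[end]["id"], total))
    return alerts


def off_hours(instructions, open_hour=9, close_hour=17, weekend=(4, 5)):
    """Ids sent outside business hours or on the (Friday-Saturday) weekend."""
    flagged = []
    for m in instructions:
        t = datetime.fromisoformat(m["sent"])
        if t.weekday() in weekend or not open_hour <= t.hour < close_hour:
            flagged.append(m["id"])
    return sorted(flagged)


if __name__ == "__main__":
    print("unconfirmed:", missing_confirmations(INSTRUCTIONS, CONFIRMED_IDS))
    print("bursts:", burst_alerts(INSTRUCTIONS))
    print("off-hours:", off_hours(INSTRUCTIONS))
```

The thresholds (one hour, $50M, 09:00-17:00) are placeholders; in practice they would be tuned to the institution's historical outbound volume.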

The same Lazarus crew has since attempted SWIFT-style operations against banks in Vietnam, Ecuador, Taiwan, Chile, and Mexico, with mixed success. The doctrine of attacking interbank settlement systems is now an established Lazarus capability.

Financial impact

Reported costs in USD

Total reported loss: $81.0M (USD 81,000,000)
  • Business loss: $81.0M

Timeline

  1. Lazarus operators establish persistence on Bangladesh Bank's SWIFT-connected workstations via spearphishing of bank employees.

  2. Operators issue 35 SWIFT MT103 transfer instructions totalling $951 million from Bangladesh Bank's account at the Federal Reserve Bank of New York.

  3. The New York Fed flags 30 of the transfers because the routing instructions misspell 'foundation' as 'fandation'. The remaining 5 transfers totalling $101M proceed.

  4. Operators deploy malware (BANKSHOT / a custom SWIFT Alliance Access trojan) to delete the local SWIFT message confirmations, delaying detection by the bank.

  5. Bangladesh Bank discovers the unauthorized transfers when the printer that auto-prints SWIFT confirmations fails to produce expected receipts.

  6. $20M wired to Sri Lanka is recovered after a typo (Shalika Foundation → Shalika Fandation) triggers a manual review at Deutsche Bank.

  7. Of $81M routed to RCBC Bank in the Philippines, ~$18M is recovered; the remainder is laundered through Philippine casinos and remains unaccounted for.

  8. U.S. DOJ indictment of Lazarus operator Park Jin Hyok formalizes attribution to North Korea.

Sources

  1. justice.gov: https://www.justice.gov/opa/press-release/file/1092091/dl
  2. bis.org: https://www.bis.org/cpmi/publ/d170.pdf
  3. reuters.com: https://www.reuters.com/investigates/special-report/cyber-heist-federal/

Related incidents

Private-key · stolen

Coincheck NEM heist

Tokyo-based cryptocurrency exchange Coincheck lost 523 million NEM tokens (~$530M at the time) from a hot wallet that had no multi-signature protection. The largest single crypto-exchange theft at the time; later attributed to North Korea's Lazarus Group.

Victim: Coincheck Inc.
Loss: $530.0M